jira-importer commented on issue #430: URL: https://github.com/apache/maven-apache-parent/issues/430#issuecomment-2771722866
**[Herve Boutemy](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=hboutemy)** commented

ok, I'm really not an expert and not fluent on this topic, then I just did tests:

`gpg --verbose --verify file.asc file` shows me

```
gpg: armor header: Version: GnuPG v1
gpg: Signature made Tue May 24 19:34:44 2016 CEST using DSA key ID ........
gpg: using PGP trust model
gpg: Good signature from "Herve Boutemy <hbout...@apache.org>"
gpg: binary signature, digest algorithm SHA1
```

ok, now I see the digest used

then I tested signing with the new option:

`gpg --digest-algo=SHA512 --use-agent --armor --detach-sign --output file.asc file`

then verified the result: SHA1 is now SHA512 as expected, without changing anything on my private key: that's what I needed to check (i.e. it does not add any new expectation on my key)

notice I added configuration for SHA512 as proposed in dev guidelines, then added 3 lines at the beginning of my ~/.gnupg/gpg.conf

```
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
```

but it did not change the digest used by default: did I do something wrong?

at least, now, I'm confident to add the configuration in pom.xml: this won't cause harm to anybody and will just improve the result

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
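The "digest algorithm" that `gpg --verbose --verify` prints in the comment above is a one-byte field inside the detached signature, so a release check can read it from the `.asc` file without the signer's public key. The following is an added example, not code from the original comment or from the Maven project; the function names are hypothetical and the sample signature is constructed with dummy values.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Return the binary packet data inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[begin + 1:end]
    if "" in body:                       # armor headers end at the blank line
        body = body[body.index("") + 1:]
    # skip the optional "=XXXX" CRC24 line
    return base64.b64decode("".join(l for l in body if l and not l.startswith("=")))

def signature_digest(data):
    """Return (signature version, digest name) for the first packet."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first >= 224 and first != 255:
            raise ValueError("partial body length not supported")
        offset = 2 if first < 192 else 3 if first < 224 else 6
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        offset = 1 if ltype == 3 else 1 + (1, 2, 4)[ltype]
    if tag != 2:
        raise ValueError("first packet is not a signature")
    body = data[offset:]
    if body[0] == 3:                     # v3: hash id follows time, key id, pk algo
        algo = body[16]
    elif body[0] == 4:                   # v4: version, sig type, pk algo, hash id
        algo = body[3]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return body[0], HASH_ALGOS.get(algo, "unknown(%d)" % algo)

def constructed_sample(hash_id):
    """Constructed v4 DSA signature packet (dummy values, not verifiable)."""
    body = bytes([4, 0x00, 17, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    packet = bytes([0x88, len(body)]) + body   # old-format tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for hash_id in (2, 10):
        print(signature_digest(dearmor(constructed_sample(hash_id))))
```

This reads only the declared algorithm; it does not verify the signature, so it complements `gpg --verify` rather than replacing it.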